5 Integrating Oracle Access Manager and Oracle Identity Manager

This chapter explains how to integrate Oracle Access Manager with Oracle Identity Manager.

The instructions in this chapter use Oracle Internet Directory as an example directory server only. Refer to the system requirements and certification documentation on Oracle Technology Network for more information about supported configurations. For more information, see Section 1.4, "System Requirements and Certification."

IDSTORE_HOST and IDSTORE_PORT are the host and port, respectively, of your identity store directory. If you are using a directory other than Oracle Internet Directory, specify the Oracle Virtual Directory host (which should be IDSTORE.mycompany.com).

IDSTORE_BINDDN is an administrative user in the identity store directory.

IDSTORE_USERSEARCHBASE is the location in the directory where users are stored.

IDSTORE_GROUPSEARCHBASE is the location in the directory where groups are stored.

IDSTORE_SEARCHBASE is the location in the directory where users and groups are stored.

IDSTORE_SYSTEMIDBASE is the location of a container in the directory where users can be placed when you do not want them in the main user container. This is rarely needed, but one example is the Oracle Identity Manager reconciliation user, which is also used as the bind DN user in Oracle Virtual Directory adapters.

Name this file preconfigPropertyFile or similar as you will use it to preconfigure the identity store in the next step.

Use this properties file to perform general configuration of the identity store with the following command:

In the second properties file, IDSTORE_HOST, IDSTORE_PORT, IDSTORE_BINDDN, IDSTORE_USERSEARCHBASE, IDSTORE_GROUPSEARCHBASE and IDSTORE_SEARCHBASE have the same meaning as in the preconfig properties file described above. The remaining parameters are as follows:

IDSTORE_SYSTEMIDBASE is the location in your directory where the Oracle Identity Manager reconciliation user is placed.

IDSTORE_READONLYUSER is the name of a user you want to create which has Read Only permissions on your Identity Store.

IDSTORE_READWRITEUSER is the name of a user you want to create which has Read/Write permissions on your identity store.

IDSTORE_SUPERUSER is the name of the administration user you want to use to log in to the WebLogic Administration Console in the Oracle Fusion Applications domain.

IDSTORE_OAMSOFTWAREUSER is a user that is created in LDAP and that Oracle Access Manager uses at run time to connect to the LDAP server.

IDSTORE_OAMADMINUSER is the name of the user you want to create as your Oracle Access Manager Administrator.

IDSTORE_OIMADMINUSER is the name of the administration user you would like to use to log in to the Oracle Identity Manager console.

IDSTORE_OIMADMINGROUP is the name of the group you want to create to hold your Oracle Identity Manager administrative users.

OAM11G_IDSTORE_ROLE_SECURITY_ADMIN is the name of the group to hold users who have access to the Oracle Access Manager administration console.

Name this file preparePropertyFile or similar as you will use it to prepare the identity store in the next step.

Use this properties file to perform component-specific configuration of the identity store for integration using the following command:

Check that the links for "Forgot Password", "Self Register" and "Track Registration" appear on the login page.

3. Log in as an Oracle Identity Manager administrator (the user referred to in Step 6 of Section 5.2).

   Expected result: The Oracle Identity Manager Admin Page should be accessible.

4. Create a new user on the Oracle Identity Manager Admin Page. Close the browser and try accessing the Oracle Identity Manager Admin Pages. When prompted for login, provide valid credentials for the newly-created user.

   Expected result: You should be redirected to Oracle Identity Manager and required to reset the password.

5. Close the browser and access the Oracle Identity Manager Admin Page.

   Expected result: The Oracle Access Manager login page from the Oracle Access Manager managed server should come up. Verify that the links for "Forgot Password", "Self Register" and "Track Registration" are available in the login page. Check that each link works.

6. To check that lock/disable works, open a browser and log in as a test user. In another browser session, log in as xelsysadm and lock the test user account. Click the Logout link on the OIM console.

   Expected result: The user must be logged out and redirected back to the login page.

   To test SSO logout, log in to the Oracle Identity Manager console as test user/xelsysadm.

   Expected result: Upon logout from the page, it must redirect to the SSO logout page.

5.6 Additional Configuration

This section describes additional configuration that you may need to perform depending on your requirements.

5.6.2 Loading the Nexaweb Applet in an Integrated Environment

In an Oracle Identity Manager and Oracle Access Manager (OAM) integrated environment, when you log in to the Oracle Identity Manager Administrative and User Console and click a link that opens the Nexaweb applet, additional configuration is required before the Nexaweb applet will load. The steps are as follows:

1. Log in to the Oracle Access Manager Console.

2. Create a new Webgate ID. To do so:

   a. Click the System Configuration tab.

   b. Click 10g Webgates, and then click the Create icon.

   c. Specify values for the following attributes:

      Name: NAME_OF_NEW_WEBGATE_ID
      Access Client Password: PASSWORD_FOR_ACCESSING_CLIENT
      Host Identifier: IAMSuiteAgent

   d. Click Apply.

   e. Edit the Webgate ID as follows: set Logout URL to /oamsso/logout.html, and deselect the Deny On Not Protected checkbox.

3. Install a second Oracle HTTP Server (OHS) and Webgate. During Webgate configuration, when prompted for the Webgate ID and password, use the Webgate ID name and password for the second Webgate that you provided in step 2c.

4. Log in to the Oracle Access Manager Console. In the Policy Configuration tab, expand Application Domains, and open IdMDomainAgent.

5. Expand Authentication Policies, and open Public Policy. Remove the following URLs in the Resources tab:

   /xlWebApp/.../*
   /xlWebApp
   /Nexaweb/.../*
   /Nexaweb

6. Expand Authorization Policies, and open Protected Resource Policy. Remove the following URLs in the Resources tab:

   /xlWebApp/.../*
   /xlWebApp
   /Nexaweb/.../*
   /Nexaweb

7. Restart all the servers.

8. Update the ObAccessClient.xml file in the second Webgate. To do so:

   a. Create a backup of the SECOND_WEBGATE_HOME/access/oblix/lib/ObAccessClient.xml file.

   b. Open the DOMAIN_HOME/output/WEBGATE_ID_FOR_SECOND_WEBGATE/ObAccessClient.xml file.

      Note: Ensure that the DenyOnNotProtected parameter is set to 0.

   c. Copy the DOMAIN_HOME/output/WEBGATE_ID_FOR_SECOND_WEBGATE/ObAccessClient.xml file to the SECOND_WEBGATE_HOME/access/oblix/lib/ directory.

9. Copy the mod_wls_ohs.conf file from the FIRST_OHS_INSTANCE_HOME/config/OHS_NAME/ directory to the SECOND_OHS_INSTANCE_HOME/config/OHS_NAME/ directory. Then open the mod_wls_ohs.conf file of the second OHS to ensure that WebLogicHost and WebLogicPort still point to the Oracle Identity Manager managed server host and port.

10. Remove or comment out the following lines in the SECOND_OHS_INSTANCE_HOME/config/OHS_NAME/httpd.conf file:

    <LocationMatch "/oamsso/*">
    Satisfy any
    </LocationMatch>

11. Copy the logout.html file from the FIRST_WEBGATE_HOME/access/oamsso/ directory to the SECOND_WEBGATE_HOME/access/oamsso/ directory. Then open the logout.html file of the second Webgate to ensure that the host and port in the SERVER_LOGOUTURL variable point to the correct OAM host and port.
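As an added verification (example code written for this chapter, not part of Oracle's documentation or tools), the script below checks the three edits made to the second Webgate and OHS against constructed sample files: the DenyOnNotProtected value in ObAccessClient.xml, the Satisfy any block in httpd.conf, and the host and port in the SERVER_LOGOUTURL variable of logout.html. It assumes the 10g-style NameValPair layout for ObAccessClient.xml and the SERVER_LOGOUTURL assignment form shown in the sample; oam.example.com, port 14100, the Listen line and SECOND_WEBGATE_ID are placeholders.

```python
import re
from urllib.parse import urlparse
from xml.etree import ElementTree as ET

# Constructed stand-ins for the second Webgate's files (not copied from a real
# install); the 10g-style NameValPair layout of ObAccessClient.xml is assumed.
OBACCESSCLIENT_XML = """<CompoundList xmlns="http://www.oblix.com" ListName="ObAccessClient.xml">
  <SimpleList><NameValPair ParamName="id" Value="SECOND_WEBGATE_ID"/></SimpleList>
  <SimpleList><NameValPair ParamName="denyOnNotProtected" Value="1"/></SimpleList>
</CompoundList>"""
HTTPD_CONF = 'Listen 7778\n<LocationMatch "/oamsso/*">\nSatisfy any\n</LocationMatch>\n'
LOGOUT_HTML = '<script>\nvar SERVER_LOGOUTURL = "http://oam.example.com:14100/oam/server/logout";\n</script>'

def deny_on_not_protected(xml_text):
    """Value of the DenyOnNotProtected parameter (the chapter requires "0"), or None if absent."""
    for el in ET.fromstring(xml_text).iter():
        if el.tag.endswith("NameValPair") and el.get("ParamName", "").lower() == "denyonnotprotected":
            return el.get("Value")
    return None

def oamsso_satisfy_any_active(conf_text):
    """True while an uncommented <LocationMatch "/oamsso/*"> block still carries Satisfy any."""
    block = re.compile(r'^[ \t]*<LocationMatch\s+"/oamsso/\*">[ \t]*\n(.*?)^[ \t]*</LocationMatch>', re.S | re.M)
    return any(re.search(r"^[ \t]*Satisfy\s+any", m.group(1), re.M | re.I) for m in block.finditer(conf_text))

def logout_url_target(html_text):
    """(host, port) that SERVER_LOGOUTURL points at, or None if the variable is missing."""
    m = re.search(r'SERVER_LOGOUTURL\s*=\s*"(https?://[^"]+)"', html_text)
    if not m:
        return None
    u = urlparse(m.group(1))
    return (u.hostname, u.port)

def check_second_webgate(xml_text, conf_text, html_text, oam_host, oam_port):
    """Deviations from the chapter's second-Webgate edits; an empty list means the files match."""
    findings = []
    # Caveat: DenyOnNotProtected=0 makes the Webgate pass through every URL that no policy
    # covers, so the Public Policy and Protected Resource Policy removals should stay limited to the listed URLs.
    if deny_on_not_protected(xml_text) != "0":
        findings.append("DenyOnNotProtected is not 0: the second Webgate will block the /xlWebApp and /Nexaweb URLs removed from the policies")
    if oamsso_satisfy_any_active(conf_text):
        findings.append('httpd.conf still contains <LocationMatch "/oamsso/*"> with Satisfy any')
    if logout_url_target(html_text) != (oam_host, oam_port):
        findings.append("logout.html SERVER_LOGOUTURL does not point at the OAM host and port")
    return findings

if __name__ == "__main__":
    for finding in check_second_webgate(OBACCESSCLIENT_XML, HTTPD_CONF, LOGOUT_HTML, "oam.example.com", 14100):
        print("FINDING:", finding)
```

To run it against a real installation, read the three files into the arguments of check_second_webgate and pass the OAM managed server host and port; an empty list means the second Webgate matches the configuration above.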

12. Log in to the Oracle Access Manager Console. In the Policy Configuration tab, expand Host Identifiers, and open the host identifier that has the same name as the second Webgate ID. In the Operations section, verify that the host and port for the second OHS are listed. If not, click the add icon (+ sign) to add them. Then click Apply.

13. Use the second OHS host and port in the URL for the OAM login page for Oracle Identity Manager. The URL must be in the following format:

    http://SECOND_OHS_HOST:SECOND_OHS_PORT/admin/faces/pages/Admin.jspx
